Hacker Safe - ScanAlert….only a matter of time…how funny is this?

Posted on January 12th, 2008 by Drazen Drazic

ScanAlert was recently sold to McAfee, as I posted here a while ago. Good luck to them! But seriously, running a basic VA test and selling that as a full-blown website security review/solution was always a bit of BS! Marketing over actual ability, yet companies get duped! How smart is this Geeks mob to think a logo on their website and a basic VA meant they were secure?!

Check out this story about Geeks.com being hacked, and have a look at the “Hacker Safe” logo on the site! LOL

This is the same mob aligned with Visa in Asia Pacific that does PCI quarterly scanning for many merchants. Hey, they got their accreditation under the PCI Security Standards Council's SDP program, so they can. But selling the VA under the pretense that you are safe from hackers is just misleading and bullshit! It was only a matter of time!

Further (and I once again disclose that I have a close relationship with Qualys), every time we have run QualysGuard on a site that had been passed by ScanAlert, we have found issues! The old security vs. compliance story. One example:

We met with one large payment gateway a year or so ago that was using ScanAlert for their PCI quarterly scanning. We suggested they try QualysGuard as an alternative solution. They agreed to a trial, so we ran the scans. (We told them this is a basic VA, not a full web security review; tools can’t do that, people do that.) Where previously they had passed, they now failed badly!

They chose to stay with ScanAlert - the IT Security Manager told me bluntly; “ScanAlert passed us and QualysGuard failed us….management decided that we would go with the one that passed us!”

WTF you say? :-)

There is no better VA system out there than QualysGuard but QualysGuard is just one part of a larger exercise in a website security review. Mobs like this were bound to get stung eventually.

Related post:

http://beastorbuddha.com/2007/10/16/integrity-of-annoucing-new-silver-bullets/#comments 

9 Responses to “Hacker Safe - ScanAlert….only a matter of time…how funny is this?”

  1. @SFB…yeah….50M….what can you say? Good luck to them.

    McAfee may decide to be honest and say to all their [ScanAlert] clients, “no…it does not give you protection from “hackers”…..it just minimises the risk a little…!”

    Cynical? Yeah….but I'm used to it!

    Everyone send an email to McAfee and ask their position if you want. That would make for interesting reading.

    DD

  2. Not funny at all Drazen.

    As you pointed out, ScanAlert is at the core of the Payment Card Industry
    (PCI) certification for VISA in Asia Pacific:
    http://www.scanalert.com/site/en/partners/payment/

    There’s even a press release describing the free scanning service, aka
    silver-bullet, powered by ScanAlert:
    http://images.scanalert.com/pdf/press/2005_09_15_pr.pdf

    Ok, let’s sit back and rewind… VISA International offers a free scanning
    service using the ScanAlert tool, the same technology which certifies Geeks.com
    as ‘Hacker Safe’ on a daily basis (I’m not kidding, check their website).
    The fortress Geeks.com has nevertheless been hacked and Visa credit card
    information ‘may’ have been compromised (I like the ‘may’ bit). An
    unfortunate chain of events that is probably going to cost VISA some money,
    not including the cost of reissuing all stolen credit cards.

    Geeks.com has most certainly paid ScanAlert for the privilege of showing off
    their ‘Hacker Safe’ seal on their website, assuring their customers of
    protection from credit card fraud and identity theft (which should make you
    reach for your card in confidence when shopping online, like the
    all-too-happy Internet users on the http://www.scanalert.com frontpage).

    However, VISA International is offering the same scans for free, in an
    effort to protect their merchants and processors under the PCI standard.
    Let’s just pray that the free service is better than the paid-for one!

    It was only a matter of time.

    Time’s up.

  3. Let's not get too cynical & pious here, ladies & gentlemen.

    The ‘Hacker Safe’ logo, quite obviously means *exactly* what it says.

    Safe … for hackers !

    :-)

  4. LOL BG….but there is merit to the argument you put forward. How many organisations would potentially neglect basic good practice on their web environment because they believed this was the solution to all their security requirements? (i.e. leaving them in a false sense of security, so to speak).

    I can’t see how people could not be misled and this be misinterpreted. It says “Hacker Safe”! If you’re Hacker Safe, why bother with practices and processes around the environment when this seems to do it all?

    So yeah, safe for hackers - potentially very likely if organisations have neglected other areas of security because of this assurance from ScanAlert.

    As an aside, when we do this type of testing for clients, (using skilled specialists and supported by many third-party and in-house developed tools - because one tool just cannot do this as mentioned), we always have disclaimers - there is only so much you can assure for (with new attack vectors and vulns. coming out every day). We’ve been asked about putting our logo on sites before to state that the site is secure, but we cannot in all honesty allow that to happen because we cannot guarantee what will happen the second we finish the testing due to internal organisational and external events on the site.

  5. This seems to be the standard response from ScanAlert in every Blog I have seen. I am surprised that it has not come up in BorB. Maybe you worry them:-) Here’s what I have seen in other blogs from the US at least: LOL….as you said nothing but BS!

    ScanAlert’s Response to Geeks.com Hacked Article

    So far, no one knows exactly what happened, when it happened, or whether this breach occurred on the Geeks.com web site or somewhere else. There is no evidence that this web site was hacked while it was certified HACKER SAFE. In fact, all of the information that ScanAlert has gathered so far indicates that this breach did not happen while Geeks.com was certified HACKER SAFE.

    - ScanAlert

  6. No one in the industry would say that, so they cannot be considered part of us. It is “people” like this that give us a bad name! Every one of us needs to be loud. We are getting screwed!

  7. @SFB, thanks dude…it is marketing over substance! There is no doubt about it in this case as you say.

    This scenario is like shooting fish in a barrel…..there is nothing they can come back with…..and to date, they have not! Maybe BorB is not on their radar.

    In previous posts, I do get press/marketing dudes from guys I bag defending their products and offering up meetings to discuss the “situation”…..they go nowhere…..but so far, nothing from McAfee in this scenario. From a business perspective, they probably know that silence is the best approach…..and then the BS marketing starts again!

    Come on McAfee….prove me wrong!

  8. Okay, I have been accused of jumping on the bandwagon to push QualysGuard, but please note, this was an aside and I do always disclose my relationship so you can make your own calls on this….but I also like to think I am open in talking about the limits of these systems regardless of who they are. It may have clouded my message somewhat of these “logos” and what they stand for. I hope not. I stand by that. I don’t think I have read any other IT security blog that has differed too much from what I have said here. I’m not the exception here but rather seem to follow along with what most people are saying. E.g. Jeremiah’s blog post on this topic, before mine:
    http://jeremiahgrossman.blogspot.com/2008/01/geekscom-compromised-but-relax-its.html
